COMMON ISSUES AFFECTING SECURITY USABILITY

Transcription

1 Evaluating the usability impacts of security interface adjustments in Word 2007 M. Helala 1, S.M.Furnell 1,2 and M.Papadaki 1 1 Centre for Information Security & Network Research, University of Plymouth, Plymouth, United Kingdom 2 School of Computer and Information Science, Edith Cowan University, Perth, Western Australia cisnr@plymouth.ac.uk Abstract Prior research has suggested that integrating security features with user goals and increasing their visibility would improve the usability of the associated functionalities. This paper investigates how these approaches affect the efficiency of use and the level of user satisfaction. The user interface of Word 2007 was modified according to these principles, with usability tests being conducted with both the original and the modified user interfaces. The results suggest that integrating security features with user goals improves the efficiency of use, but the impacts upon user satisfaction cannot be clearly identified based on the collected data. No indications of any major improvements in the efficiency of use or user satisfaction are found when the visibility of security features is increased. The combination of these two methods seems to improve both the efficiency of use and the resulting user satisfaction. Keywords Usability, Security, Visibility, Feature Integration, User Goals. INTRODUCTION Several usability studies have been conducted in order to evaluate different security tools and security features in other applications. In some cases the articles describing these studies have even suggested improvements to the studied applications and tools. However, solutions that could be applied to a wide range of applications would be more beneficial for user interface (UI) designers and software developers. Therefore this paper concentrates on presenting common usability issues and solutions that could be used in several everyday applications. The impacts these solutions have on efficiency of use and user satisfaction are also considered. COMMON ISSUES AFFECTING SECURITY USABILITY A variety of factors may potentially affect users ability to understand and use security. Key issues motivating the approach in this study are described in the subsections that follow. Security tasks are not integrated with user goals

2 Dourish et al. (2004) and Smetters and Grinter (2002) have criticised the way security features are presented in many applications. They have argued that the features are not integrated well enough with the tasks users need to do. This can lead to situations in which users cannot use applications or tools in a way that would be natural to them or to the tasks they are trying to complete. Smetters and Grinter (2002) highlight an example of such a situation. They found in their study that from time to time users had to manually change relevant security settings before carrying out certain tasks and then restore the previous settings afterwards. Clearly, having to turn off or bypass security features in this way increases the risk of user errors which can potentially compromise security. It can be argued that if security aspects of a task that users wish to do were integrated with other aspects of the task, it would be easier for them to complete the task successfully. In addition, according to Balfanz et al. (2004) users tend to think about security in the context of the tasks they need to do rather than as security terms, such as certificates or encryption keys. Hence it could be beneficial to integrate security with these tasks so that users do not need to take separate steps in order to achieve the security aspects of their tasks. Lack of visibility The visibility of security related functionalities is often not sufficient for users to notice them easily (Furnell, 2005). Therefore users might not utilise some important security features simply because they have not come across them. In addition, Tognazzini (2003) stated that users of any applications should not be expected to search for features and functionalities. This clearly implies that if average users are expected to utilise different security features in everyday applications, these features should be presented in a way that users will encounter them while using other aspects of these applications. Another important consideration, as observed by Dourish et al. (2004), is that security is not the main concern for most users when they are using IT in their everyday lives. Furthermore, as identified by De Witt and Kuljis (2006), users will often try to get their work done quickly even at the cost of security. The results of their research indicated that this common attitude was not dependent on users security awareness. Even users who were aware of the security consequences of this kind of behaviour often had the same approach. These findings provide further support for the idea that security should be given enough emphasis when designing UIs. If these features are hidden in different menus users can easily give up searching for them or might not even look for them in the first place. USABILITY TEST METHODOLOGY Based on the findings presented above it was decided to test the extent to which integrating security features with user goals and increasing the visibility of the features would affect their usability in everyday applications. In order to limit problems arising from general unfamiliarity, it was decided to base the study upon an application that was likely to be broadly familiar to participants. In addition, it was considered desirable to select a context in which security was available but not necessarily a main priority for users (i.e. such that they would not be inclined to

3 make significant effort to employ it if they were hindered by the usability). From these criteria, Microsoft Word 2007 was selected as the basis for evaluation. Given that the presentation of security features within this application have previously been critiqued in earlier work from Furnell (2007), selecting the application for use in this study also provided an opportunity to address some of the concerns. In order to do this the UI regarding these features was modified with a Word 2007 add-in. User interface modifications The visibility of protecting documents against unauthorised access and modifications was increased. This was achieved by adding a Security Options button to the Save As dialog and removing the General Options menu item from the Tools menu. The General Options dialog that previously presented the protection settings was also replaced with a new Document Level Security Options as shown in Figure 1. (a)

4 (b) Figure 1: The Save As dialog in (a) original form with General Options dialog from the Tools button and (b) modified form with Document Level Security Options dialog from a new Security Options button An effort was made to integrate security features and user goals in three cases. Users were given an option to create documents with access and editing restrictions as well as documents with increased privacy level. This was done by adding menu options to the Office Button as shown in Figure 2. Both of the improvements were tested in two cases: controlling metadata, such as author name and revision number, that is saved with an existing document and controlling the metadata that is saved with all new documents by default. In this paper these are referred to as document level privacy settings and application wide privacy settings respectively. Figure 2: The options from the Office Button in its modified (left) and original (right) forms

5 In the case of document level privacy settings users were able to select the metadata they wanted to be saved with a document instead of having to inspect the document and then remove the unwanted details with the Document Inspector. This was made possible through a privacy tab in the Document Level Security Options dialog as illustrated on the left side of Figure 3. This was done in order to integrate the user goals and the security functionality. In addition the Security Options button that was mentioned earlier was used for increasing the visibility of this feature. Figure 3: The privacy tabs of the new Document Level Security Options and Application Wide Security Options dialogs The visibility of application level privacy settings was increased by adding a Word Security Options button into the modified Office Button menu as shown in Figure 2. Clicking this button opened a dialog shown on the right side of Figure 3. The same approach of integrating this functionality with user goals was used as in the case of document level privacy settings. In the original solution there was no straightforward way of controlling all the metadata described above. It was only possible to remove the default author name through the User name field in the Word Options. In order to do anything beyond this users were required to modify the Normal.dotx template, which is by default used as a template for all new documents. The new approach saved users from inspecting this template with the Document Inspector and removing any unwanted metadata this way. Usability tests Ten users participated in the practical tests. Six of the participants rated themselves as advanced IT users and the rest regarded themselves as intermediate users. All participants used computers daily. In addition all but two of them had prior experience with the Word 2007 (with these two still users of Word 2003). The usability tests consisted of seven different security related tasks, as shown in Table 1, that users might encounter in their day-to-day use of any word processor. In each of these tasks users were required to utilise the features described earlier in this chapter. In addition the users were asked to do all tasks with both the original Word 2007 UI and the modified UI. If users had been divided into two groups each testing only one UI, the variation in the skills and performance of individual users could have caused significant difference between the groups (Nielsen, 1993, pp.178-9). In

6 order to avoid bias caused by this, within-subjects testing was used. In addition, the problems caused by skills transferred between the two UIs was controlled by asking half of the participants to test the modified UI first and the other half to test the original one first as suggested by Nielsen (1993, p.179). Task number Task description 1 Create a new document with restricted access. 2 Restrict access to an existing document. 3 Create a new document that does not contain any personal details in the metadata. 4 Remove personal details from the metadata of an existing document. 5 Create a new read only document. 6 Convert an existing document to a read only document. 7 Change the privacy settings so that by default no personal details will be included in the metadata of new documents. Table 1: Tasks used in the usability tests The efficiency of use was estimated by measuring the completion times and success rates for all tasks. In addition subjective user satisfaction was estimated by recording user opinions regarding the ease of use and preference on certain areas of the UIs. The ease of use was measured with the following 5-point scale: very difficult, difficult, neither easy nor difficult, easy, and very easy. To make comparison between the two UIs easier geometric means were calculated for the completion times and the ease of use. In order to do this for the ease of use, the 5-point scale was represented with a linear numeric scale so that very difficult was given the value 1 and very easy the value 5. RESULTS The following subsections consider the findings in relation to the key factors of user efficiency in performing the tasks and their associated satisfaction with the system when attempting to do so. Efficiency The efficiency of the interfaces was judged in terms of the number of users able to complete each task (shown in the left-hand graph of Figure 4) and the average time that each of the tasks took (shown in the right-hand of the Figure). In terms of task success, it can be seen that while four cases were broadly similar regardless of interface, tasks 1, 3 and 7 fared significantly better under the new design. In terms of completion times the only major difference between the two UIs was noted in task 3, with the modified UI enabling the task to be completed significantly more quickly.

7 Figure 4: User efficiency in terms of task success rates (left) and geometric means of task completion times (right) User satisfaction Users were asked to indicate which interface (original or modified) they preferred for several of the key tasks, as well as to rate the ease of use in each of these contexts. These questions enabled an assessment of their basic preference as well as the extent to which they felt the original and modified interfaces affected their experience. As can be seen in the left-hand graph in Figure 5, there was a clear preference towards the modified interface in most cases, with only the document level protection settings giving a somewhat more mixed result. Similarly, the modified interface was generally favoured in terms of the perceived ease of use. However, as the right-hand graph in Figure 5 shows, the document level protection settings again divided opinion more equally. Figure 5: User satisfaction measured via interfaces preferences (left) and ease of use ratings (right) DISCUSSION Having examined the underlying results, this section considers the overall effectiveness of the different forms of UI adjustment that were made, examining them individually and in combination. Integrating security features with user goals Integrating security features and user goals was tested in tasks 1, 3 and 5. The completion times for task 3 suggested that this approach would improve the efficiency of using the functionality in question. In addition, the success rates were higher for the modified UI which supports this finding. However, only one

8 participant managed to complete the task 3 successfully with the original UI while only three participants out of ten failed the task with the modified one. Hence the task completion times might not be comparable. On the other had the poor success rate shows that the original UI was not very efficient in this respect. The success rates for task 1 support the effectiveness of the improvements used in the modified UI regarding this task. Thus it can be argued that integrating security features and user goals increases the efficiency of using them. User satisfaction concerning document level privacy settings was higher for the modified UI as it scored higher in terms of users opinions regarding ease of use and user preference. Tasks 3 and 4 involved document level privacy settings. Task 3 tested the impacts of unifying security features with user goals while task 4 tested the effects of combining this modification with increasing the visibility of the relevant functionality. However, due to the phrasing of the questions presented to the participants, it was not possible to say which one they referred to when rating the ease of using or preference regarding document level privacy settings. Increasing visibility of security features The results did not show any major differences between the two UI in the tasks 2 or 6 which tested the effects of increasing visibility of security features. Similar task completion times and success rates were recorded for both UIs in these tasks. Similarly, no indications were found that this approach would increase the level of user satisfaction. Nevertheless, there were no indications of decreased levels of usability when this method was used. Assessing the effect of the combined modifications Tasks 4 and 7 tested the combination of integrating security features with user goals and increasing their visibility. In task 7 more users completed the task successfully with the modified UI. In fact none of the participants managed to complete this task successfully with the original user interface. Thus the completion times could not be compared. In task 4 no major differences were found between the two UIs in terms of efficiency of use. Tasks 3 and 4 involved controlling document level privacy settings. As mentioned earlier in this chapter, it could not be determined from the collected data which task users referred to when giving their opinion regarding ease of use and preference. Therefore, based on task 4 conclusions could not be made regarding the effectiveness of the combination of these modifications. In case of task 7, however, users rated the modified UI higher in terms of ease of use. In addition most users preferred the modified UI in this case. Hence it can be argued that the combination of integrating security features with user goals and increasing their visibility improves both the efficiency of use and subjective user satisfaction. CONCLUSIONS The results have indicated that at least in some cases integrating security features with user goals would improve the efficiency of using these features. Two out of three test cases showed improvements in efficiency of use when this approach was used. It could not be clearly identified from the collected data if this approach improved subjective user satisfaction. No indications of improvements in efficiency

9 of use or subjective user satisfaction were found when the visibility of security features was increased. On the other hand this approach does not seem to decrease the usability either. The combination of the two improvements mentioned above seemed to increase the efficiency of use and user satisfaction in one of the two test cases. In order to verify the results presented in this paper, further studies should be carried out with larger and more diverse groups of test users. In addition, the reliability of the results could be increased by testing the effects that different improvements have on the same functionalities and by carrying out similar tests with other applications as well. REFERENCES Balfanz, D., Durfee, G., Smetters, D.K. and Grinter, R.E., (2004), In search of usable security: five lessons from the field, IEEE Security & Privacy, Vol. 2, No. 5, pp DeWitt, A.J. and Kuljis, J., (2006), Aligning usability and security: a usability study of Polaris, Proceedings of the second symposium on Usable privacy and security. Pittsburgh, Pennsylvania, USA: ACM, pp Dourish, P. Grinter, E., Delgado de la Flor, J. and Joseph, M., (2004), Security in the wild: user strategies for managing security as an everyday, practical problem Personal Ubiquitous Comput., Vol. 8, No. 6, pp Furnell, S., (2005), Why users cannot use security, Computers & Security, Vol. 24, No. 4, pp Furnell, S.M., (2007), Making security usable: Are things improving?, Computers & Security, Vol. 26, No. 6, pp Nielsen, J., (1993), Usability Engineering, Academic Press, San Diego, ISBN: Smetters, D.K. and Grinter, R.E., (2002), Moving from the design of usable security technologies to the design of useful secure applications NSPW '02: Proceedings of the 2002 workshop on new security paradigms, New York, NY, USA: ACM, pp Tognazzini, B., (2003), First Principles of Interaction Design, (Accessed 14 January 2008).